Adding a new member to a Check Point FW1/Security Gateway cluster/vap-group
Article ID: 167832
Updated On:
Products
XOS
Issue/Introduction
This article describes how to add a new VAP member to an existing Check Point cluster with minimal downtime.This article describes how to add a new VAP member to an existing Check Point cluster with minimal downtime.
Cause
Goal: To increase the VAP count of a Checkpoint Firewall-1 VAP group and add the new blade with minimal downtime.
The following circuit definitions exist on the X-Series prior to configuring for increased vap-count:
Note: A brief outage will be incurred when you enable state synchronization on both cluster members and restart the firewall process for the change to take effect.
The following circuit definitions exist on the X-Series prior to configuring for increased vap-count:
circuit mgmt
device-name mgmt
vap-group fw
ip 192.168.9.1/24 increment-per-vap 192.168.9.2
#
circuit intranet
device-name inta
vap-group fw
ip 10.2.2.1/24
#
circuit sync
device-name sync
link-state-resistant
vap-group fw
ip 192.168.6.1/28 increment-per-vap 192.168.6.2
#
circuit internet
device-name internet
vap-group fw
default-egress-vlan-tag 102
ip 10.5.5.1/24
Note: A brief outage will be incurred when you enable state synchronization on both cluster members and restart the firewall process for the change to take effect.
Resolution
Increase the VAP Count
1. Extend the IP ranges for the mgmt and sync circuits:CBS# configure circuit mgmt vap-group fw ip 192.168.9.1/24 increment-per-vap 192.168.9.3
CBS# configure circuit sync vap-group fw ip 192.168.6.1/24 increment-per-vap 192.168.6.3
2. Increase the vap-count:
CBS# configure vap-group fw vap-count 3
Adjusting vap-count. May take several minutes.......
3. Adjust the load-balance-vap-list so it only includes members 1 and 2:
CBS# configure vap-group fw load-balance-vap-list 1 2
Install the Application on New Member
1. Run the application update command to install the application on the new vap-group member:CBS# application-update vap-group fw
2. You will then see a message stating you need to reload the new vap ****DO NOT RELOAD THIS AT THIS TIME***
Load the New Member
1. You can now safely change the max-load-count of the fw vap-group to 3 to bring up the new member:CBS# configure vap-group fw max-load-count 3
Integrate the New Member
1. Once the APM has rebooted, open SmartDashboard and add the new member to the cluster.2. If you have installed any hotfixes on the existing cluster members, apply the same hotfixes on the new gateway so it runs the same revision. Here is an example for an HFA:
a. Change to the Unix prompt:
CBS# unix su
b. Copy the HFA file to fw_3:
[[email protected] admin]# cp <HFA-filename> /tftpboot/fw_3/tmp
c. Rsh to the new VAP member and install the hotfix:
[[email protected] admin]# rsh fw_3
fw_3 (cbs): root$ cd /tmp
fw_3 (cbs): tmp$ tar xvzf <HFA-filename>
fw_3 (cbs): tmp$ ./UnixInstallScript
At the end you will see a message telling you to reboot. DO NOT REBOOT AT THIS TIME.
3. Exit to the CLI and reboot the NEW APM ONLY. The following example assumes fw_3 runs on an APM in slot 12:
CBS# show ap-vap-mapping
CBS# reload module 12
4. You can now add the new member to the load-balance-vap-list:
CBS# configure vap-group fw load-balance-vap-list 1 2 3
Finally, verify the HA status on each cluster member:
[[email protected] admin]# rsh fw_1
fw_1(cbs): root$ cphaprob stat
fw_1(cbs): root$ exit
[[email protected] admin]# rsh fw_2
fw_2(cbs): root$ cphaprob stat
fw_2(cbs): root$ exit
[[email protected] admin]# rsh fw_3
fw_3(cbs): root$ cphaprob stat
fw_3(cbs): root$ exit
Workaround
N/AFeedback
Yes
No
Powered by
